shibboleth-dev - Notes for Discussion -- Shib Quick Start proposal

Subject: Shibboleth Developers

Notes for Discussion -- Shib Quick Start proposal

  • Subject: Notes for Discussion -- Shib Quick Start proposal
  • Date: Mon, 29 Nov 2004 13:34:25 -0500

Over the last several months, we've tried to improve the ability of sites to install and operate the Shib software by introducing Install Fests; additionally, we've recently published on the shib web site the "checklist" that was developed to help Fest attendees. Both of these steps have generated some success stories; people do seem to be finding it easier to install and configure shib and the required dependencies. However, there seems to be a set of people who are still having trouble... discussion of these situations led to the development of the "Quick Start Package" proposal. This note is a description of the current thinking about Quick Start, what it's targeted at, and what it would contain...

-- initially, it would be targeted at Fedora systems..... later, this might be extended.

-- one goal here is to provide people with direct access to several different "working installations".

-- the package would install shib + ALL the dependencies (e.g. java, tomcat, etc.). It would also contain supporting files and scripts to allow the new install to be easily moved among three possible configurations: operation in localhost mode, operation in bilateral mode, and operation in InQueue.

-- after the shell archive script runs, the machine should be operational in localhost mode. A user should be able to start X on the Fedora system, start a browser, enter the appropriate URL (which we'll supply), and have the freshly installed IdP and SP components interact successfully.

-- the bilateral mode script would allow *any* browser user to enter the appropriate URL and have the freshly installed IdP and SP components interact successfully. (The difference from localhost mode is that URLs would no longer contain a hostname of localhost.) This script would generate and use self-signed certs to have the two components trust each other.

-- InQueue mode would have the IdP and SP components join the IQ federation. This would require configuring them to use certs signed by a trusted CA...

-- POTENTIAL CONCERN -- Scott has suggested that the Quick Start package contain a signing key for a CA trusted by IQ. Two reasons: 1) even a moron would now recognize that IQ cannot be trusted for real work, and 2) this would greatly simplify the steps needed to reconfigure for membership in IQ.

-- the package would be a shell archive (tarball + script)

-- the tarball would contain:
   - java 1.4
   - tomcat
   - a directory containing scripts and config files, to be used in normal operation (e.g. a basic auth user.db file with Test Users in it) and by the three modes

-- the shell archive script would:
   - install java
   - install tomcat
   - download and explode the shib IdP software
   - use rpm to install the shib SP dependencies and the Shib SP package
   - configure the IdP software:
     - copy shib files into the tomcat tree
     - make required edits to tomcat files (see checklist)
     - start tomcat, wait, stop tomcat
   - configure the SP software:
     - edit httpd.conf to Include files containing items relevant to running both the IdP and SP

(I may have missed a couple of items.... but in this note I'm more worried about the concept than the detail)

-- At this point, the system should be fully operational in localhost mode.

-- Supplied scripts would edit config files appropriately, and would use files included in the Quick Start package, to reconfigure the machine to bilateral or IQ mode.....
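The bilateral-mode step in the message above says the script would generate self-signed certs so the IdP and SP trust each other. The shell functions below are an added example, not code from the original message or from the Shibboleth project: they generate a separate key and self-signed certificate for each component on the installed machine, pin each certificate as the other side's trust anchor, and use openssl to check that the pinned peer verifies while a different self-signed identity with the same CN does not. The hostname quickstart.example.org, the output directory and the file names are assumptions; the Shibboleth config-file edits that would reference these files are not shown. Because the keys are generated at install time, the package itself ships no private key (in contrast to the shared CA signing key raised under POTENTIAL CONCERN).

```shell
#!/bin/sh
# Added example (not from the original message or the Shibboleth project):
# per-installation self-signed certs for an IdP and an SP, each pinning the
# other's certificate as its trust anchor. Hostname, directory and file
# names are illustrative assumptions.

# gen_selfsigned NAME HOST DIR: fresh RSA key + self-signed cert for one component.
gen_selfsigned() {
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 365 \
    -subj "/CN=$2" -keyout "$3/$1.key" -out "$3/$1.crt" >/dev/null 2>&1 || return 1
  chmod 600 "$3/$1.key"   # private key is created here and never leaves the box
}

# verify_peer ANCHOR CERT: succeed only if CERT verifies against ANCHOR.
# (On some openssl builds the default system store is also consulted; a
# freshly generated self-signed cert is never in it, so the check still holds.)
verify_peer() {
  openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# setup_bilateral DIR HOST: generate both identities and cross-pin them.
setup_bilateral() {
  dir=$1
  host=$2
  mkdir -p "$dir" || return 1
  gen_selfsigned idp "$host" "$dir" || return 1
  gen_selfsigned sp "$host" "$dir" || return 1
  # The IdP trusts exactly the SP's cert, and the SP exactly the IdP's.
  cp "$dir/sp.crt" "$dir/idp-trusted.crt" || return 1
  cp "$dir/idp.crt" "$dir/sp-trusted.crt" || return 1
  verify_peer "$dir/idp-trusted.crt" "$dir/sp.crt" &&
    verify_peer "$dir/sp-trusted.crt" "$dir/idp.crt"
}

# check_rejects_stranger DIR HOST: a third self-signed identity, even with the
# same CN, must not verify against the IdP's pinned anchor. Returns 0 when
# the trust boundary holds.
check_rejects_stranger() {
  dir=$1
  gen_selfsigned stranger "$2" "$dir" || return 1
  if verify_peer "$dir/idp-trusted.crt" "$dir/stranger.crt"; then
    return 1   # would mean any self-signed cert is accepted
  fi
  return 0
}

# Usage when run directly (assumed hostname):
#   ./bilateral.sh /tmp/shib-quickstart quickstart.example.org
if [ "${1:-}" != "" ]; then
  setup_bilateral "$1" "${2:-quickstart.example.org}" && echo "bilateral trust configured in $1"
  check_rejects_stranger "$1" "${2:-quickstart.example.org}" && echo "stranger cert rejected"
fi
```

The stranger check is the part worth keeping in any mode-switching script: it confirms that trust is anchored on the specific certificate that was generated, not on a matching hostname in the subject.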


